Terminal commands are easy to forget. This is a summary of the command-line tools commonly used in iOS reverse engineering; installing and configuring them is not covered here.

Summary of some Mac terminal commands

cat <file>: print the file's contents to the terminal

touch <file>: create an empty file

vim

vim <file>: open the file for editing; if it does not exist it is created when saved

i (or Shift+I): enter insert mode so you can type (Shift+I inserts at the start of the line)

Esc: leave insert mode and return to normal mode

Shift+; (i.e. :) then wq: from normal mode, save and quit vim (:q! quits without saving)

dd: in normal mode, press d twice to delete the line under the cursor

SSH remote login (OpenSSH installed from Cydia)

ssh root@<iPhone IP>: log in to the phone as root

ssh mobile@<iPhone IP>: log in as the unprivileged mobile user

passwd: change the root password (the default is alpine, the same on every jailbroken device, so change it before exposing SSH on the network)

passwd mobile: change the mobile user's password (also alpine by default)

Key-based login as root

ssh-keygen: generate an SSH key pair on the Mac (once)

ssh-copy-id root@<iPhone IP>: copy the public key into the phone's authorized_keys so later logins need no password

Usb login

Unzip the usbmuxd tool package; the python-client directory inside it contains tcprelay.py

python … (Path) /python-client/tcprelay.py -t 22:10010: forward Mac port 10010 to port 22 on the phone over USB (the mapping is <phone port>:<Mac port>; keep this terminal window open while the tunnel is in use)

ssh root@localhost -p 10010: in a second terminal, log in through the mapped port, i.e. over the USB cable

These two commands can each be saved as a .sh script

Once the USB tunnel is up, scp copies files through it

scp -P 10010 <source path> root@localhost:<destination directory>: copy from the Mac to the phone (the port flag is a capital -P; lowercase -p only preserves timestamps)

scp -P 10010 root@localhost:<source file path> <destination directory>: copy from the phone to the Mac
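The USB login and scp steps above, wrapped in one script. This is an added example, not part of the original page and not code from the usbmuxd project; it assumes the path to tcprelay.py from the python-client directory and the <phone port>:<Mac port> mappings are passed on the command line. It adds the check the bare commands lack: it waits until the Mac-side port actually accepts connections before starting ssh or scp, and shuts the relay down when the command finishes.

```python
"""Wrapper around usbmuxd's tcprelay.py (added example, not the page's own code):
bring up the USB port mapping, wait for the local port, run ssh/scp through it,
and kill the relay afterwards. Assumes tcprelay.py and the mappings are given
on the command line."""
import socket
import subprocess
import sys
import time


def parse_mapping(spec):
    """tcprelay's -t argument is <phone port>:<Mac port>, e.g. '22:10010' -> (22, 10010)."""
    remote, local = spec.split(":")
    return int(remote), int(local)


def wait_for_port(host, port, timeout=5.0):
    """Poll until something listens on host:port; False on timeout.
    The relay listens even when no phone is attached, so True proves the
    relay is up, not that the phone is reachable."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=0.5):
                return True
        except OSError:
            time.sleep(0.1)
    return False


def ssh_argv(local_port, user="root", command=None):
    """ssh through the mapped port; ssh takes the port as lowercase -p."""
    argv = ["ssh", "-p", str(local_port), "%s@localhost" % user]
    return argv + [command] if command else argv


def scp_argv(local_port, src, dst):
    # scp takes the port as capital -P; lowercase -p means "preserve timestamps"
    return ["scp", "-P", str(local_port), src, dst]


def run_with_relay(tcprelay_py, mappings, argv):
    """Start the relay for all mappings, run argv once the first local port is up, then clean up."""
    relay = subprocess.Popen(["python", tcprelay_py, "-t"] + list(mappings))
    try:
        _, local = parse_mapping(mappings[0])
        if not wait_for_port("127.0.0.1", local):
            raise RuntimeError("tcprelay never opened local port %d" % local)
        return subprocess.call(argv)
    finally:
        relay.terminate()
        relay.wait()


if __name__ == "__main__":
    # usage: usb_ssh.py /path/to/python-client/tcprelay.py 22:10010 [10012:10011 ...]
    # a second mapping such as 10012:10011 is what a debugserver/lldb session needs
    relay_py, maps = sys.argv[1], sys.argv[2:]
    sys.exit(run_with_relay(relay_py, maps, ssh_argv(parse_mapping(maps[0])[1])))
```

Run it as `python usb_ssh.py <path>/python-client/tcprelay.py 22:10010` for a shell; swap `ssh_argv(...)` for `scp_argv(10010, "a.txt", "root@localhost:/var/root/")` to copy a file the same way.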

Once logged in, the phone can be restarted from the terminal

reboot: restart the phone

killall SpringBoard: restart only the home screen (a respring), which is enough after installing a tweak and much faster than a reboot

ps

ps -A: list every process on the phone, including the running apps

ps -A | grep XXX: list only processes whose name contains XXX, used to find a running app and its executable name

cycript

cycript -p <process name or PID>: attach to the running app (as listed by ps) and enter the Cycript console

@import MJcript: import the third-party MJcript script to get its debugging helpers

Ctrl+D: exit the console

  • Cycript syntax

    UIApp -> [UIApplication sharedApplication]

    var <name> = ... -> declare a variable (JavaScript syntax, much like Swift's var)

    #<memory address> -> get the object living at that address

    *<object> -> dump all member variables of the object

    ObjectiveC.classes -> all Objective-C classes currently loaded

    <view>.recursiveDescription().toString() -> print the view and all of its subviews

    choose(UIViewController) -> every live instance of UIViewController (and its subclasses)

  • MJcript debugging functions

    MJAppId -> the bundle ID

    MJAppPath -> the app bundle path

    MJDocPath -> the Documents path

    MJCachesPath -> the Caches path

    MJFrontVc() -> the frontmost view controller

    MJInstanceMethodNames(<class name or #memory address>) -> the class's instance method names

    MJKeyWin -> the key window

    MJVcSubviews -> recursively print the view hierarchy of a UIViewController's view

    MJFrontVcSubViews -> recursively print the frontmost view controller's view hierarchy

    MJBtnTouchUpEvent -> the method names bound to a button's TouchUpInside event

    (See the MJcript file for more.)

class-dump

class-dump -H <Mach-O file path> -o <output directory>: export the Objective-C class declarations as header files (lowercase -h only prints class-dump's help)

file

file <file path>: show the Mach-O file type (executable, dynamic library, fat/universal) and its architectures

lipo

  • lipo: the tool for multi-architecture (fat) Mach-O files

    lipo -info <file path>: list the architectures in the file

    lipo <file path> -thin <arch> -output <output path>: extract a single architecture (arm64, armv7, ...) into its own file

    lipo -create <file path 1> <file path 2> -output <output path>: combine several single-architecture files into one fat file

Decryption (dumping) tools

  • dumpdecrypted: log in to the phone in a terminal and run it there. The decrypted executable is written into the current working directory as <executable name>.decrypted, so run the command from the directory that holds dumpdecrypted.dylib

    DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib <path to the executable of the app to decrypt>

    ldid -S dumpdecrypted.dylib: if the dump fails with a signature error, sign the dylib and retry

  • frida-ios-dump: cd into the frida-ios-dump directory, bring up the USB port mapping (dump.py connects to localhost port 2222 by default, so map 22:2222 or edit the port in dump.py), then dump

    python dump.py -l: list the installed apps

    python dump.py com.xxx.xxx: decrypt the app with bundle ID com.xxx.xxx; the decrypted .ipa is written to the current directory

theos

  • After configuring the Theos environment, bring up the USB port mapping (with THEOS_DEVICE_IP=localhost and THEOS_DEVICE_PORT=10010 in the environment, make install goes through the mapped port)

nic.pl: create a new Theos project

make: compile

make package DEBUG=0: build the .deb package (DEBUG=0 for a release build)

make install: install the package on the phone

make clean: remove the build output

ldid

  • The entitlements of a highly privileged executable can be extracted and attached to our own executable

    • SpringBoard, for example, carries a very large set of entitlements

    ldid -e SpringBoard > SpringBoard.entitlements: extract the entitlements to a file

    ldid -SSpringBoard.entitlements XXXX: pseudo-sign XXXX with those entitlements (no space between -S and the file name)

lldb

  • Configuring dynamic debugging of an app on the phone

    • Set up the USB port mapping

    Add a second mapping such as 10012:10011 to the USB mapping command (again <phone port>:<Mac port>)

    python ... (Path) /python-client/tcprelay.py -t 22:10010 10012:10011

    In another terminal, log in to the phone over the mapped port 10010

    debugserver localhost:10012 -a XXXX: on the phone, attach debugserver to the running process XXXX and have it listen on port 10012 (the debugserver copied out of Xcode's DeveloperDiskImage has to be re-signed with ldid first so that it carries debugging entitlements such as task_for_pid-allow)

    Open a third terminal on the Mac

    lldb: start LLDB

    process connect connect://localhost:10011: connect to the phone's debugserver through the mapped port and debug XXXX

  • Once the connection is established, dynamic debugging is available

    See: iOS Reverse Development – Terminal Tool Command Usage Summary (2): lldb commands

codesign (re-signing)

  • Extract the entitlements from the new provisioning profile (embedded.mobileprovision)

    security cms -D -i embedded.mobileprovision > temp.plist

    /usr/libexec/PlistBuddy -x -c 'Print:Entitlements' temp.plist > entitlements.plist
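The same two-step extraction done offline in Python, as an added example rather than the page's own commands: it pulls the plist payload out of embedded.mobileprovision, returns its Entitlements dictionary, and runs the checks a practitioner wants before re-signing with a profile (expired, missing get-task-allow, wildcard application-identifier). It does not verify the CMS signature; `security cms -D` only decodes as well. SAMPLE_PROFILE and EXPIRED_PROFILE are constructed stand-ins, not real Apple profiles.

```python
"""Added example (not the page's own code): read the Entitlements dictionary out of
embedded.mobileprovision, the data `security cms -D` plus PlistBuddy produce, and
sanity-check the profile before re-signing with it.

The file is CMS (PKCS#7) SignedData around an XML plist. We cut the plist out by its
<?xml ... </plist> markers; nothing here checks the CMS signature.
SAMPLE_PROFILE / EXPIRED_PROFILE are constructed stand-ins."""
import datetime
import plistlib
import sys


def extract_plist(blob):
    """Return the profile's plist payload as a dict."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no XML plist payload found in the profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def entitlements(blob):
    """What 'PlistBuddy -c Print:Entitlements' prints, as a dict."""
    return extract_plist(blob)["Entitlements"]


def write_entitlements(blob, path="entitlements.plist"):
    """Write the dict as an XML plist ready for `codesign --entitlements`."""
    with open(path, "wb") as f:
        plistlib.dump(entitlements(blob), f, fmt=plistlib.FMT_XML)


def check_profile(profile, now=None):
    """Short problem codes; each one means the re-signed app will not install or attach."""
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    problems = []
    exp = profile.get("ExpirationDate")
    if exp is not None and exp < now:
        problems.append("expired")                # installd rejects the app
    ents = profile.get("Entitlements", {})
    if not ents.get("get-task-allow"):
        problems.append("no-get-task-allow")      # debugserver/lldb cannot attach
    if ents.get("application-identifier", "").endswith(".*"):
        problems.append("wildcard-app-id")        # signs fine, but capability entitlements are absent
    return problems


def make_profile(expires, task_allow=True):
    """Constructed stand-in: fake DER bytes (SignedData OID prefix) around a real plist."""
    payload = plistlib.dumps({
        "Name": "Example Dev Profile",
        "TeamIdentifier": ["ABCDE12345"],
        "ExpirationDate": expires,
        "Entitlements": {
            "application-identifier": "ABCDE12345.com.example.app",
            "get-task-allow": task_allow,
            "keychain-access-groups": ["ABCDE12345.*"],
            "com.apple.developer.team-identifier": "ABCDE12345",
        },
    })
    prefix = b"\x30\x82\x0b\x0c\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
    return prefix + payload + b"\x31\x82\x03\x00" + b"\x00" * 16


SAMPLE_PROFILE = make_profile(datetime.datetime(2099, 1, 1))
EXPIRED_PROFILE = make_profile(datetime.datetime(2020, 1, 1), task_allow=False)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    profile = extract_plist(data)
    print("problems:", check_profile(profile) or "none")
    for key, value in entitlements(data).items():
        print("%s = %r" % (key, value))
```

`python profile_ents.py embedded.mobileprovision` prints the problems and the entitlements; `write_entitlements(data)` produces the entitlements.plist the codesign step below expects.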

security find-identity -v -p codesigning: list the available signing certificates and their IDs

codesign -fs <certificate ID> --entitlements entitlements.plist xxx.app: re-sign the app with the entitlements

codesign -fs <certificate ID> xxx.dylib: sign a dynamic library (sign every embedded dylib and framework before the outer .app, because signing the app seals the bundle contents)

  • Inject a dynamic library into xxx.app

    insert_dylib @executable_path/xxx.dylib <executable> --all-yes --weak <executable>: add a load command so the executable loads xxx.dylib from the app bundle at launch (--weak keeps the app launching even if the dylib is missing; the last argument is the output file, here overwriting the input)

  • Fix the path an injected library uses to find another library it depends on

    install_name_tool -change .../mmm.dylib (old path) @loader_path/mmm.dylib (new path) xxx.dylib

otool

otool -L xxx.dylib: list the dynamic libraries the file links against, with the paths it will load them from

otool -l <executable> | grep crypt: print the LC_ENCRYPTION_INFO fields; cryptid 1 means the Mach-O is still App Store encrypted, cryptid 0 means it has been decrypted (check every architecture slice of a fat file)
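An added example, not the page's own code, that serves both the file/lipo section above and the two otool commands here: a small Python Mach-O inspector that reports each slice's architecture (`file`, `lipo -info`), the dylibs it links (`otool -L`) and the LC_ENCRYPTION_INFO cryptid (`otool -l | grep crypt`), with no macOS tools needed. SAMPLE_FAT is a constructed fat binary whose arm64 slice has cryptid 0 while its armv7 slice still has cryptid 1: the state a dump leaves behind, because dumpdecrypted and frida-ios-dump only decrypt the slice that actually ran.

```python
"""Added example, not the page's own code: a minimal Mach-O / fat inspector.
Walks the big-endian fat header and each slice's little-endian load commands and
reports architecture, linked dylibs and the LC_ENCRYPTION_INFO cryptid.
SAMPLE_FAT is constructed below; it is not a real app binary."""
import struct
import sys

FAT_MAGIC, MH_MAGIC, MH_MAGIC_64 = 0xCAFEBABE, 0xFEEDFACE, 0xFEEDFACF
CPU_ARM64, CPU_ARMV7 = 0x0100000C, 0x0000000C
CPU_NAMES = {CPU_ARM64: "arm64", CPU_ARMV7: "armv7", 0x01000007: "x86_64"}
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB = 0x0C, 0x80000018
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C


def parse_thin(blob, base=0):
    """Parse one little-endian Mach-O (32- or 64-bit) that starts at `base`."""
    magic = struct.unpack_from("<I", blob, base)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("no little-endian Mach-O header at offset %d" % base)
    hdr_len = 32 if magic == MH_MAGIC_64 else 28  # mach_header_64 has an extra reserved field
    cputype, _subtype, _filetype, ncmds, _sizeofcmds = struct.unpack_from("<IIIII", blob, base + 4)
    info = {"arch": CPU_NAMES.get(cputype, hex(cputype)), "dylibs": [], "cryptid": None}
    off = base + hdr_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):           # what `otool -L` prints
            name_off = struct.unpack_from("<I", blob, off + 8)[0]  # offset of the path string
            name = blob[off + name_off:off + cmdsize].split(b"\0", 1)[0]
            info["dylibs"].append(name.decode())
        elif cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):  # what `| grep crypt` shows
            # layout: cmd, cmdsize, cryptoff, cryptsize, cryptid -> cryptid at +16
            info["cryptid"] = struct.unpack_from("<I", blob, off + 16)[0]
        off += cmdsize
    return info


def inspect(blob):
    """Return {'fat': bool, 'slices': [parse_thin(...) per architecture]}."""
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:          # fat header is big-endian
        nfat = struct.unpack_from(">I", blob, 4)[0]
        slices = []
        for i in range(nfat):
            _cpu, _sub, offset, _size, _align = struct.unpack_from(">IIIII", blob, 8 + 20 * i)
            slices.append(parse_thin(blob, offset))
        return {"fat": True, "slices": slices}
    return {"fat": False, "slices": [parse_thin(blob)]}


def still_encrypted(blob):
    """True if any slice has cryptid == 1; dump tools only decrypt the slice that ran."""
    return any(s["cryptid"] == 1 for s in inspect(blob)["slices"])


# ---- constructed sample: fat binary whose arm64 slice was dumped, armv7 not ----
def lc_dylib(name):
    s = name.encode() + b"\0"
    size = (24 + len(s) + 7) & ~7                                   # dylib_command + string, 8-aligned
    return (struct.pack("<IIIIII", LC_LOAD_DYLIB, size, 24, 2, 0x10000, 0x10000) + s).ljust(size, b"\0")


def lc_encryption(cryptid, sixty_four):
    if sixty_four:
        return struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    return struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x8000, cryptid)


def make_thin(cputype, cmds):
    body = b"".join(cmds)
    if cputype & 0x01000000:                                        # CPU_ARCH_ABI64 -> 64-bit header
        return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, len(cmds), len(body), 0, 0) + body
    return struct.pack("<IIIIIII", MH_MAGIC, cputype, 0, 2, len(cmds), len(body), 0) + body


def make_fat(slices):
    out = bytearray(struct.pack(">II", FAT_MAGIC, len(slices)))
    offset, entries = 0x1000, []
    for cputype, blob in slices:                                     # lipo aligns slices to 2^align
        entries.append((cputype, offset, blob))
        offset = (offset + len(blob) + 0xFFF) & ~0xFFF
    for cputype, off, blob in entries:
        out += struct.pack(">IIIII", cputype, 0, off, len(blob), 12)
    for _cputype, off, blob in entries:
        out += b"\0" * (off - len(out)) + blob
    return bytes(out)


SAMPLE_FAT = make_fat([
    (CPU_ARM64, make_thin(CPU_ARM64, [lc_dylib("/usr/lib/libSystem.B.dylib"),
                                      lc_dylib("@executable_path/xxx.dylib"), lc_encryption(0, True)])),
    (CPU_ARMV7, make_thin(CPU_ARMV7, [lc_dylib("/usr/lib/libSystem.B.dylib"), lc_encryption(1, False)])),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FAT
    for s in inspect(data)["slices"]:
        print(s["arch"], "cryptid=%s" % s["cryptid"], "links:", ", ".join(s["dylibs"]))
```

Run `python macho_inspect.py <Mach-O>` on a dumped app: a slice still reporting cryptid=1 is the reason to `lipo -thin arm64` before handing the file to class-dump or a disassembler, and the `@executable_path/xxx.dylib` entry is how you confirm an insert_dylib injection took.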

ASLR

  • Get the offset (slide) at which the program was loaded into memory

    • First set up the LLDB debugging environment

      image list -o -f

      image list -o -f | grep <app executable>: filter to the app's own module; the hex value printed before the path is the ASLR slide, and runtime address = static address (as shown in Hopper/IDA) + slide
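An added example, not from the page: parse `image list -o -f` output, look up the slide of the app's module and turn a static address from the disassembler into an lldb breakpoint command (and a runtime address from a backtrace back into a static one). SAMPLE_IMAGE_LIST is constructed in the format lldb prints (index, load-address offset, path); its paths and addresses are made up.

```python
"""Added example (not from the page): read the ASLR slide out of `image list -o -f`
and convert disassembler (static) addresses to runtime ones for lldb breakpoints.
SAMPLE_IMAGE_LIST is constructed in the format lldb prints: [index] offset path."""
import re

SAMPLE_IMAGE_LIST = """\
[  0] 0x0000000000088000 /private/var/containers/Bundle/Application/0000-APP/Target.app/Target
[  1] 0x000000000001c000 /private/var/containers/Bundle/Application/0000-APP/Target.app/Frameworks/Hook.dylib
[  2] 0x0000000000008000 /usr/lib/dyld
"""

LINE_RE = re.compile(r"^\[\s*(\d+)\]\s+(0x[0-9a-fA-F]+)\s+(\S+)")


def parse_image_list(text):
    """Map each loaded module's file name to its slide (the second column)."""
    slides = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            slides[m.group(3).rsplit("/", 1)[-1]] = int(m.group(2), 16)
    return slides


def runtime_address(static_addr, slide):
    # Hopper/IDA show arm64 executables from 0x100000000 and dylibs from 0;
    # in both cases the live address is the static one plus the module's slide.
    return static_addr + slide


def static_address(runtime_addr, slide):
    # the reverse: take an address from a crash log or `bt` back to the disassembler
    return runtime_addr - slide


def breakpoint_command(slides, module, static_addr):
    """lldb command to break at a static address once the module is loaded."""
    if module not in slides:
        raise KeyError("%s is not loaded yet; run `image list -o -f` after the app starts" % module)
    return "breakpoint set -a 0x%x" % runtime_address(static_addr, slides[module])


if __name__ == "__main__":
    slides = parse_image_list(SAMPLE_IMAGE_LIST)
    print(breakpoint_command(slides, "Target", 0x100004A2C))
    print(hex(static_address(0x10008CA2C, slides["Target"])))
```

Paste the real `image list -o -f` output in place of the sample; a module missing from the map means the app has not loaded it yet, which is why the slide is read after `process connect` rather than before.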